Open smohiudd opened 6 months ago
From the veda-auth-central team:
Notes from discussion with Auth Central team Aug 2 meeting:
Prior to veda-auth-central integration with veda-backend we'll need to determine the appropriate Group and Scopes that will be needed.
There are currently six services in veda that require auth:
Both STAC and Ingest api services allow us to create, update & delete STAC records in the catalog.
Should we have the same Scopes for both APIs? For example (note: @alukach I'm not sure if this is the correct naming convention for scopes):
[
  "veda:stac:read",
  "veda:stac:create",
  "veda:stac:update",
  "veda:stac:delete"
]
See this spreadsheet for group and scope details for the applications listed above: https://docs.google.com/document/d/1vwqLwVSZH6ZbofWFcLC9CDVueynoVHHHCPdZLK0n1J8/edit#heading=h.pqt43d9p5xzt
Following ADR review meeting on Aug 29 (Meeting notes), the veda auth central team will be working with technical teams to validate the current auth approach or work on an alternative. Given that changes to veda-auth-central are possible, I suggest putting the prototyping on hold until there is more certainty.
veda-auth-central has been integrated into the stac and ingest endpoints in this stack: https://stacadmin.openveda.cloud/api/stac/docs
What
The veda-auth-central team is working on an SSO solution using Keycloak. This will eventually be the authentication solution for all VEDA services.
@alukach started a sample app which reflects how our APIs may use veda-auth-central Keycloak authentication. This solution needs to be prototyped in the Veda STAC API in place of our current Cognito authentication.
PI Objective
Objective DS-2: STAC Admin NASA-IMPACT/veda-architecture#454
Acceptance Criteria
Veda-auth-central authentication integrated with the following:
dev